Which companies are improving their encryption?

Douglas Crawford

November 20, 2013

Following the ongoing revelations that the NSA and GHCQ are spying on tech giants’ communications (most notably the recent news that GHCQ as part of its MUSCULAR program tapped the internal information backbones going between Google and Yahoo!’s international servers), together with the news that Microsoft has made no effort to prevent a similar thing happening to its data, the Electronic Frontiers Foundation (EFF) digital freedom advocacy group has asked top internet technology firms about what measures they are taking to improve their encryption.

More specifically, the EFF asked the companies whether they had implemented (or planned to implement) a number of industry recognised best practices with regard to encryption, in order that they not be vulnerable to kinds of intrusion recently suffered by Google and Yahoo! The result is a lovely Infographic.

What do these measures mean?

Encrypts data centre links

As we observed above, one of the things that prompted this report was the NSA and GHCQ’s direct tapping of Google and Yahoo!’s data as it travelled between their cloud servers. To prevent this, strong encryption is needed when transferring data between company servers.

Supports HTTPS

HTTPS is the basic encryption standard used when you connect to a ‘secure’ website (for example it is often used by banking websites). It should be noted that HTTPS has likely been broken by the NSA as part of its assault on international encryption standards, although the use of ephemeral keys (see PFS below) minimises the impact of this.

HTTPS Strict Transport Security (HSTS)

This is a fairly new technology that allows programs to force web browsers to use only SSL/TLS encryption (HTTPS, not HTTP) when using that program. The beauty of HSTS is that all that is required to implement it is adding an HTS-specific HTTP response header to the application, which will be obeyed by most modern browsers.

Forward Secrecy

We cover this (also known as Perfect Forward Secrecy or PFS) in quite some detail here, but basically it means that new encryption keys are generated for each session, so that even if a key is compromised, then only that particular session will be compromised. At present most HHTPS sessions use non-ephemeral (i.e. non-temporary) keys, so if the key is comprised, then all sessions associated with that key are also compromised. PSF generates new keys for each session (known as temporary or ephemeral keys), which prevents this.

STARTTLS

This standard is only relevant to companies that offer email services. It encrypts plain text (TLS or SSL) emails as they travel between SMTP mail servers, but only if both servers are using STARTTLS. If one server is not using STRARTTLS then the email will be sent as plain text. For example, an email sent from a Gmail to a FastMail account will be encrypted (as both use STARTTLS), but if sent to a Yahoo! account it won’t be (as Yahoo! does not use STARTTLS).

Conclusion

The infographic is great reference, and says a lot about which companies care about your privacy, although it is scary how few fully comply with widely recognised standards that are essential for protecting you from unwanted surveillance. Google in particular, although it has cooperated with the NSA in the past, and has numerous privacy issues relating to its own use of users data for advertising purposes, does at least seem to be taking a fairly aggressive stance against government interference, for which we commend it.